A regular reader pointed me to an article in the Daily Mail (a UK tabloid) describing how they had a security expert "hack" one of the new biometric passports, which carry an electronic Radio Frequency IDentification (RFID) microchip, and extract all of its digital data. They arranged to simulate intercepting the passport while it was being mailed from the government to the citizen. Because the RFID chip can be interrogated remotely, they were able to do this without even opening the postal envelope containing the passport. Of course, the data was encrypted, so the security expert then had to break that (and he succeeded). The only a priori information he needed was the citizen's date of birth, which he obtained by searching the Internet. The entire process took four days, but in the end he was able to recover all of the passport's digital data, which even included the citizen's digital picture.
It seems pretty obvious that they either didn't bother to do a proper independent security analysis before they developed and deployed the system, or the managers discounted the results of any analysis that was done. Because of that lapse, it now seems that they need to rethink their encryption scheme at the very least. When they do, it might make sense to add some type of limit on the number of times a passport can be interrogated with an incorrect password, either within a certain time window or as an accumulated number over the life cycle of the passport.
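One way to model the limit suggested above, as an added example that is not from the article or from any passport specification. The class name, the thresholds and the caller-supplied clock are assumptions made for illustration.

```python
import hmac
from collections import deque

class InterrogationLimiter:
    """Hypothetical chip-side limit on failed access-key attempts."""

    def __init__(self, key, window_max=3, window_secs=60.0, lifetime_max=100):
        self._key = key
        self.window_max = window_max      # failures allowed per time window
        self.window_secs = window_secs
        self.lifetime_max = lifetime_max  # failures allowed over the chip's life
        self.lifetime_failures = 0        # would live in non-volatile memory
        self._recent = deque()            # timestamps of recent failures

    def attempt(self, candidate, now):
        # 'now' comes from the caller: a passive chip has no clock of its
        # own, so a trustworthy time source is an assumption of this model.
        if self.lifetime_failures >= self.lifetime_max:
            return "locked"               # lifetime budget spent, permanent
        while self._recent and now - self._recent[0] >= self.window_secs:
            self._recent.popleft()        # forget failures outside the window
        if len(self._recent) >= self.window_max:
            return "throttled"            # refused without testing the key
        # Charge the attempt BEFORE comparing, so that cutting power during
        # the check cannot yield a free guess; refund only on success.
        self.lifetime_failures += 1
        self._recent.append(now)
        if hmac.compare_digest(candidate, self._key):
            self.lifetime_failures -= 1
            self._recent.pop()
            return "ok"
        return "denied"

def replay(limiter, candidates, interval):
    """Present candidates at a fixed interval and tally the outcomes."""
    tally = {}
    for i, candidate in enumerate(candidates):
        outcome = limiter.attempt(candidate, now=i * interval)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally

if __name__ == "__main__":
    key = b"constructed-key"              # constructed sample value
    fast = InterrogationLimiter(key, lifetime_max=5)
    print(replay(fast, [b"wrong"] * 10, interval=1.0))
    slow = InterrogationLimiter(key, lifetime_max=5)
    print(replay(slow, [b"wrong"] * 10, interval=60.0))
```

The two runs show why the policies complement each other: the time window stops rapid guessing, while the lifetime counter also stops a patient guesser who paces attempts to stay under the window.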